Hey guys,
One of my servers recently upgraded to 5.4.44*, which appears to follow the convention many other distros have chosen: enforcing kernel lockdown mode when Secure Boot is enabled. Secure Boot is critical to our security posture for protecting our servers against evil maid attacks, and disabling it is an untenable solution.
On my Debian system I've been running with Secure Boot enabled and lockdown enforcing for months without issue; however, it appears that a stock Proxmox install has kernel taint/unsigned modules, which cause significant issues when lockdown is enforced as the current kernel does.
These are production systems; please disable enabling kernel lockdown by default in the PVE kernel until the system can be booted without throwing these errors.
Happy to provide additional details. Reverting my systems to 5.3 resolved this issue as that version appears to not have the kernel lockdown feature.
Regards!